I worked on suricata and shorewall with nfqueue on nethserver. Suricata was segfaulting, so I reverted to snort, but I think that shorewall configuration is the same for both IDSs.
policy:

  loc   net   ACCEPT:NFQBY
  $FW   net   ACCEPT:NFQBY

rules:

  ?SECTION ESTABLISHED
  # Enable NFQ for ESTABLISHED connections
  NFQBY   loc   net
  NFQBY   net   loc
  NFQBY   net   fw
  NFQBY   fw    net

  ?SECTION RELATED
  # Enable NFQ for RELATED connections
  NFQBY   loc   net
  NFQBY   net   loc
  NFQBY   net   fw
  NFQBY   fw    net

Port forwards are like this:

  DNAT-   net   192.168.x.x:143   tcp   143   -   -
  NFQBY   net   loc               tcp   143   -   -

NFQBY is an action to bypass nfqueue if snort is down:

  IPTABLES(NFQUEUE --queue-bypass)

I hope to find time to re-evaluate suricata; I'd like to hear about your experience.

--
Ciao,
Filippo

Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
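Added example, not from Filippo's post or from Shorewall: a POSIX shell check that reads an iptables-save dump and reports which NFQUEUE rules carry --queue-bypass (the flag the NFQBY action above adds). Rules with the flag fail open: when no snort/suricata process is bound to the queue the traffic passes uninspected, while rules without it drop traffic until the IDS is back. The ruleset in the script is constructed sample input, not the author's firewall.

```bash
#!/bin/sh
# Constructed sample iptables-save output (not from a real host): two NFQUEUE
# rules with --queue-bypass, one without, plus an unrelated ACCEPT rule.
SAMPLE_RULES='
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.1.0/24 -o eth0 -j NFQUEUE --queue-num 0 --queue-bypass
-A FORWARD -i eth0 -p tcp --dport 143 -j NFQUEUE --queue-num 0
-A INPUT -i eth0 -j NFQUEUE --queue-num 0 --queue-bypass
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
COMMIT
'

# Print every NFQUEUE rule, tagged by what happens when the IDS is not
# listening on the queue: FAIL-OPEN (bypass set, traffic passes uninspected)
# or FAIL-CLOSED (no bypass, kernel drops the packets).
classify_nfqueue() {
    printf '%s\n' "$1" | grep -- '-j NFQUEUE' | while IFS= read -r rule; do
        case "$rule" in
            *--queue-bypass*) printf 'FAIL-OPEN   %s\n' "$rule" ;;
            *)                printf 'FAIL-CLOSED %s\n' "$rule" ;;
        esac
    done
}

# Number of NFQUEUE rules that would drop traffic if snort/suricata died.
count_fail_closed() {
    printf '%s\n' "$1" | grep -- '-j NFQUEUE' | grep -vc -- '--queue-bypass'
}

classify_nfqueue "$SAMPLE_RULES"
echo "NFQUEUE rules without --queue-bypass: $(count_fail_closed "$SAMPLE_RULES")"
```

On a live host, replace the constructed sample with `"$(iptables-save)"` to audit the rules Shorewall actually generated.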
